General

  • Target: 311718335437b77a728b4b4bb7b1c46129fdbcb78012a4a6698b59b2d23d9713
  • Size: 394KB
  • Sample: 240427-fylwwacf7t
  • MD5: 41a7a009bd832a0d930d20b0ccfac2a1
  • SHA1: e625c2c506cc58fd0b6fb74475f96aa586ad8ef5
  • SHA256: 311718335437b77a728b4b4bb7b1c46129fdbcb78012a4a6698b59b2d23d9713
  • SHA512: 53e504051f17d365fefaa089d6521a697d890be98850fdcad18484b8cd75b7e2d02f8f563b451b7372b911ca0fbe4e670e90c4bdcb2c03f1ec82567db322ab50
  • SSDEEP: 6144:fsJVip+l5fK53hCfPr+ICF1ggQyGiezkMza:fszip+7K52P/+tQdq

Malware Config

Extracted

  • Family: stealc
  • C2: http://185.172.128.111
  • Attributes
    • url_path: /f993692117a3fda2.php

Targets

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks